Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display average in month based count?

btcs2
Engager
‎03-18-2022 08:25 AM

| chart count over date_month by seriesName  , I have a search that display counts over month by seriesname . but instead of this count i need to display average of the count over month by series name .. 

 

date_month seriesName 1 seriesName 2 seriesName 3

 
1 march % % %
2 feb % % %
Labels (6)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 03:08 AM

OK so you don't want the average, you want the percentage of the total for the month that each series has?

| bucket span=1mon _time 
| stats count by _time seriesName
| eval date_month=strftime(_time,"%b")
| eventstats sum(count) as total by date_month
| eval percentage=round(100*count/total,2)."%"
| xyseries date_month seriesName percentage

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-18-2022 08:34 AM

If you want to display daily average during that month, try something like this

Your base search
| bucket span=1d _time 
| stats count by _time seriesName
| eval date_month=strftime(_time,"%b")
| chart avg(count) over date_month by seriesName
0 Karma
Reply
Solved! Jump to solution

btcs2
Engager
‎03-21-2022 01:25 AM

Not working as expected . its just give count ,not giving average

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 02:20 AM

The example given by @somesoni2 does seem to do what you seem to have asked for.

If it is not working for you, please can you share the search you are actually using, so we can try to see why?

0 Karma
Reply
Solved! Jump to solution

btcs2
Engager
‎03-21-2022 02:56 AM

Yes that query works but that's not what i was looking for .. may be my requirement is not clear 

The average should be in such a way that  (row wise) like in the month of match 15 percentage of event is series 1 and 35 percentage is series 2 and 50 percentage is series 3 . series is nothing but events like offer created or something.  i can show example ..

Find average to the total events in that month to each event(occurrence percentage of each events compare to total events for each month)

 

date_monthseries1series2series3
March15%35%50%
February16%36%48%

 

base query | chart count over date_month by seriesName  this is the query  that we use now . it gives count in expected way ..

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 03:08 AM

OK so you don't want the average, you want the percentage of the total for the month that each series has?

| bucket span=1mon _time 
| stats count by _time seriesName
| eval date_month=strftime(_time,"%b")
| eventstats sum(count) as total by date_month
| eval percentage=round(100*count/total,2)."%"
| xyseries date_month seriesName percentage
0 Karma
Reply
Solved! Jump to solution

btcs2
Engager
‎03-21-2022 06:00 AM

Thank you so much .. !!  its working  as expected . need to learn all these 🙂 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...